Loading...
 
Skip to main content

Composer package version strategy

This is a discussion about how to use Composer


Situation: As of 2017-08-26, composer.json has a mixed usage of the Version Constraints for Composer dependencies. For example, jQuery was updated from 3.1 to 3.2 without anyone really noticing (and all went well). Yet, for others like PivotTable.js, we are locked at v2.7.0 , while upstream is at 2.14.0 A jQuery upgrade is arguably more risky than for PivotTable.js

What should be our strategy? Recommended background reading: Why your software project will slowly die without continuous updating

Goals

Some of these goals conflict, so it will be about balancing trade-offs

Potential strategies

Strategy #1

  • Trunk always up to date within version (5.5 -> 5.x)
  • Major upgrades done manually (ex.: 5 -> 6)
  • After x years, LTS branches are locked to current version
    • Only security fixes are done, so put in place a process to update packages for security fixes


Pros:

  • Constantly staying up to date


Cons

  • Things can break in the background while no one is looking. Could be hard to debug.

Strategy #2

  • No automatic upgrades
  • Developers upgrade packages after having tested them
  • Put in place a process to update packages for security fixes


Pros:

  • Less chance of an upgrade breaking something


Cons

  • Not taking advantage of enhancements


Strategy #3

  • Trunk always up to date within minor version (5.5.2 -> 5.5.x)
  • Major (5 -> 6) and medium (5.2 -> 5.3) upgrades done manually
  • After x years, LTS branches are locked to current version
    • Only security fixes are done, so put in place a process to update packages for security fixes


Pros:

  • Less chance of an upgrade breaking something


Cons

  • Not taking advantage of enhancements
  • Doesn't apply for some libs, because they don't have 5.5.2 -> 5.5.x, but only 5.5 -> 5.x


Strategy #4

  • No global strategy. It's a case by case choice by developers. Even if this is the choice, it should be more explicit and some global pros and cons should be listed to help developers choose.


Pros:

  • Provides flexibility to choose according to the context (although exceptions can be made with the other proposed strategies)


Cons

  • Inconsistency
  • Developers don't know what is appropriate (not great for new developers)

Show PHP error messages